When Security Measures Don’t Catch Anyone

Suppose you implement a security measure. Maybe it's a home alarm, maybe it's a security checkpoint before entering a building, it might even be putting tighter login requirements to a network.

You now sit back and wait to see how many people you catch. How many thieves trip your alarm and are hauled off to jail? How many corporate spies are now discovered at the checkpoint? How many crackers are denied entry into your network because of the new login protocol?

Suppose there are none. Why is that? I would imagine there are three main reasons.

No one was trying to break in before and no one is trying to break in now.

The security measures are not working.

Anyone who might try to break in sees the new measures and does not try to infiltrate, or at least does not try to infiltrate at that point.

Let's look at number 3 with a story about people improperly using a parking lot. Voltage HQ is in an office complex near a high school. Every morning when school is in session, there's a security guard standing at the entrance to the parking lot nearest the high school. In the past, parents dropping their kids off would turn around in the parking lot, creating congestion for the valid tenants. A sign posted saying the parking lot is not for turning around apparently did not do the trick. So the building owners have to hire a security guard to watch the people entering the parking lot.

Every morning, the security guard does nothing but stand there. With him there, no one tries to improperly use the parking lot. The moral of the story? Implement a security measure and you don't need it. Don't implement and you need it.

A recent episode of "Real Sports with Bryant Gumbel" supplies another example. The show reported on the governing body charged with enforcing drug rules for US Olympic (and potential Olympic) athletes. The program makes life much more difficult for the athletes, and some think it is not a successful program. The measure of failure is that very few athletes have been caught using banned substances. However, another explanation for the low rate of capture, is that people don't try to cheat if they think there is a good chance they'll get caught.

Some people try to use fake security for this very reason. Maybe they've seen that burglers rarely rob houses with Pit Bulls, Rottweilers, or German Shepherds. So they put up signs announcing a guard dog on duty, even when there is none. Fake surveillance cameras, signs declaring a home security system is installed, mannequins, recordings of people noise, and randomly turning lights on and off are supposed to make the bad guys move on to an easier target.

My guess is, such fake security is easily found out to be fake. It's probably a case that if you want security, you pretty much have to pony up for it.

In IT, fake security would work even less effectively. Someone might not pay for email encryption, but still say, "You can't read this email, it's encrypted." It would take very little effort to see that the statement is false. How about someone announcing that they have just implemented new measures to protect credit card numbers while in storage. That might thwart attackers for all of 10 minutes.

In IT, if you want security, fake won't do it. Besides, some attackers will be attracted to an enterprise that announces security, it's a challenge. They will test it immediately and of course, see immediately if it is fake.

So in IT, if you implement security measures, and describe exactly what they are, some attackers will indeed move on. Others will try to break it anyway, and others still will not have heard the announcement and will try to break in anyway. And then others will look for other vulnerabilities.

It seems to me, though, that if you have some metrics on attack attempts, employing security might cause those numbers to go down. Then you might feel as if the problem has gotten so much smaller, that you're spending too much money.

This is why it's probably a bit more difficult to sell security. If you don't have it, you see a problem. If you do have it, it looks as if the problem went away, so why spend money on it?

But the real way to look at is this: "We had a problem, we spent money on security, and the problem is now gone. The security worked."